Welcome to the SecAware blog

I spy with my beady eye ...

25 Mar 2008

Desperate for data on 25m Brits FINAL UPDATE?

The BBC reports that a substantial reward is on offer for the return of two CD-ROMs that went missing in the post en route between two Government offices. They have searched numerous offices (including TNT, a well-known courier company) and at least one rubbish tip, and have completed some forensic analysis (presumably looking to see if individuals implicated in the incident might have something to hide), but these all came up blank. With the search forlornly scaled down, a cash reward is now on offer and the British populace is warned to keep an eye out for identity theft or similar incidents.

The report notes several other personal information breaches at the Department concerned, and low staff morale as a result of the latest one. Given the sorry history of incidents, heads should roll. If public servants cannot be trusted to protect sensitive information provided to them by the public they serve, the public have every right to withhold information - but the civil disruption this would cause has far-reaching consequences.

UPDATE 19th Jan: more stories of improper disclosure of personal information by officials are adding to the Government's woes, and more importantly increasing the risk of identity theft of British residents. Today we read that (1) a Ministry of Defence laptop, stolen from a car (doh!), contained personal details on 600,000 applicants to join the forces, some of whom will have provided the full nine yards necessary to undergo security clearance; and (2) papers containing personal data on benefits claimants were found strewn across a West country roundabout, for at least the second time in two months. The man who discovered the latest batch of papers found and reported a similar load at the same place in November. We don't know if any more papers might have been lost or abandoned there and discovered by criminals during the last two months, or indeed previously or subsequently. ['Strewn across a roundabout' is a rather extreme example of "unstructured data". An article in December 2007's ISSA Journal on managing unstructured data patiently explains how to get a grip on unstructured data in ten steps, most of which are virtually impossible to do in any Real World organization and all of which ignore paper records. Data Leakage or Loss Protection (DLP), another security industry buzzword, likewise deals with a small part of the problem, and not very well at that. \rant]

Who will be held accountable for these security screwups? Will anyone lose their job, be fined or end up in prison as a result? Somehow I doubt it. It is the British Government after all. A press release on AccountingWeb says:
"The Information Commissioner, whose office was established to protect personal information and take appropriate action where the law is broken, described the scale of the loss as “unprecedented” and stated that data protection laws have almost certainly been breached. This loss of information serves as a timely reminder to businesses and organisations that they are legally obliged to ensure the safety of personal information relating to individuals."

UPDATED Jan 20th: a USB stick lost by a hospital worker had personal details of thousands of patients but apparently it's OK because "The loss was an accident rather than any systematic failing in management and governance". I assume from the BBC item that the data on the memory stick were not encrypted. What's more, "diaries containing patients' names and addresses were stolen from staff cars in two separate incidents in June." There are two good examples of "a systematic failure of management and governance", and here's a third: local management evidently decided not to inform the patients about the loss of their personal data because, in their estimation, the data could not be used for identity theft. I hope the patients concerned will complain and the Privacy Commissioner will prosecute the hospital under the Data Protection Act.

UPDATE 22nd Jan: the MoD (that's Ministry of Defence, yes, Defence, Her Majesty's Government department charged with, and paid vast amounts of taxpayers' money for, protecting the Realm and maintaining the freedom of her people) has now revealed that it has lost laptops with sensitive personal data on potential recruits at least twice before. With typical British understatement, shadow defence secretary Liam Fox called it a "dreadful mess". He really is awfully, awfully sorry.

"Data on the laptop stolen in Edgbaston on 9 January included passport, National Insurance and driver's licence numbers, family details and NHS numbers for about 153,000 people who applied to join the armed forces. Banking details were also included for around 3,700 people ... It is clear that the database files were not encrypted, in breach of MoD procedures ... Some 68 MoD laptops had been stolen in 2007, 66 in 2006, 40 in 2005 and 173 in 2004."

The same BBC news story reports that:
"The new rule on laptops comes in an e-mail from the Civil Service chief, Cabinet Secretary Sir Gus O'Donnell, to all government departments. It said: 'From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises. Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance.'"

New rule? NEW RULE! From now on!! Someone has evidently been asleep at the wheel. The situation is completely out of hand in the UK. Government departments cannot ignore the law and have a clear duty to protect the personal information entrusted to them by citizens. They need to be held to account. If not, citizens will, quite justifiably, withhold their information from public bodies, like for example the tax office and social security department ... and there lies the route to anarchy.

UPDATE Jan 26th: The BBC reports that:
"Marks and Spencer has been found in breach of data protection rules after the theft of a laptop containing the personal details of 26,000 employees. The Information Commissioner's Office (ICO) said the data on the laptop, which was stolen from the home of an M&S contractor, was unencrypted. The ICO has ordered M&S to make sure all laptop hard drives are fully encrypted by April 2008."

So it would appear that laptop encryption is now mandatory in the UK for any organization handling personal data!

UPDATE #5 Feb 15th: 5,000 patients of a Dudley hospital face anxiety over possible identity theft thanks to the theft of a laptop. We're told the laptop was "password protected" which, as we all know, is spin on "not encrypted".

"A spokesman for the trust said the laptop and database were protected with two separate passwords, making it very difficult to access. He added: 'We would like to apologise for any concern this matter has caused those patients affected and would like to reassure them that the information on the database is unlikely to be recoverable.'"

Yeah, right.

UPDATE #6 22 Feb 08: personal medical records on 3,000 patients in Bolton were dumped in landfill. Eee, it's grim up North.

UPDATE #7 Leapday: some good news at last! A laptop and CD which appear to have belonged to the Home Office have been recovered by Police after the laptop was purchased on eBay and sent to a repair shop. Even better news is that the CD and laptop were encrypted. Police are investigating how it ended up there. The repairman should be congratulated for reporting it. As to whether Al Qaida is now moving into the laptop repair business, we can only speculate.

UPDATE #8 - the final update? With no end in sight, I'm getting bored of this blog item, so it's time to close with perhaps just a little hope for the future. I've just chanced across a Liberal Democrat's blog listing several security/privacy incidents that I've mentioned here and a few more for good measure. The blogger, Frank Little, describes himself as a semi-retired hack computer programmer. I'm not entirely sure if that's hack as in journo or hack as in hacker, but at least he has an obvious interest in the UK's data protection mess. Vote wisely at the next election!
